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We claim: 



1 1 . A computer operating system comprising a kernel, the kernel configured to encrypt and 

2 decrypt data transferred between a computer memory and a secondary device. 

1 2. The computer operating system of claim 1 , wherein the kernel comprises an encryption 

2 engine configured to encrypt clear data to generate cipher data, the encryption engine 

3 further configured to decrypt the cipher data to generate the clear data. 

1 3. The computer operating system of claim 2, further comprising a memory portion coupled 

2 to the encryption engine and configured to store the cipher data. 

1 4. The computer operating system of claim 2, wherein the encryption engine is configured to 

2 encrypt clear data and decrypt cipher data according to a symmetric key encryption 
algorithm. 

1 5. The computer operating system of claim 4, wherein the symmetric key encryption 

2 algorithm is based on a block cipher. 

1 6. The computer operating system of claim 5, wherein the symmetric key encryption 

2 algorithm comprises the Rijndael algorithm. 

1 7. The computer operating system of claim 6, wherein the symmetric key encryption 

2 algorithm uses a block size of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 

3 bits. 
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1 8. The computer operating system of claim 6, wherein the symmetric key encryption 

2 algorithm uses a key length of 128 bits, 192 bits, 256 bits, 512 bits, 1024 bits, or 2048 

3 bits. 

1 9. The computer operating system of claim 5, wherein the symmetric key encryption 

2 algorithm comprises a DES algorithm. 

1 10. The computer operating system of claim 5, wherein the symmetric key encryption 

2 algorithm comprises a Triple-DES algorithm. 

1 11. The computer operating system of claim 5, wherein the symmetric key encryption 

2 algorithm comprises an algorithm selected from the group consisting of IDEA, Blowfish, 

3 Twofish, and CAST- 128. 

1 12. The computer operating system of claim 1 , wherein the kernel comprises a UNIX 

2 operating system. 

1 13. The computer operating system of claim 12, wherein the UNIX operating system is a 

2 System V-Revision. 

1 1 4. The computer operating system of claim 3, wherein the memory portion comprises a first 

2 logical protected memory configured to store encrypted file data and a second logical 

3 protected memory configured to store encrypted key data. 

1 15. The computer operating system of claim 14, further comprising an encryption key 

2 management system, the encryption key management system configured to control access 

3 to the encrypted file data and the encrypted key data. 
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1 16. The computer operating system of claim 15, wherein the encryption key management 

2 system comprises a key engine, the key engine configured to receive a pass key and the 

3 file name to generate an encrypted file name key, the key engine further configured to use 

4 the encrypted file name key and file contents to generate an encrypted file contents key, 

5 the key engine further configured to encrypt the file contents with the encrypted file 

6 contents key to generate encrypted file contents. 

1 1 7. The computer operating system of claim 1 6, wherein the encryption key management 

2 system is configured to store encrypted file names, wherein the file names are associated 

3 with the encrypted file contents. 

1 1 8. The computer operating system of claim 1 7, wherein the encryption key management 

2 system is further configured to grant access to a file if a corresponding access permission 

3 of the file is a predetermined value. 

1 19. The computer operating system of claim 1 8, wherein the secondary device is accessed 

2 using a file abstraction. 

1 20. The computer operating system of claim 19, wherein the secondary device is a backing 

2 store. 

1 21. The computer operating system of claim 1 9, wherein the secondary device is a swap 

2 device. 

1 22. The computer operating system of claim 19, wherein the secondary device is a socket 

2 connection. 
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1 23. The computer operating system of claim 22, wherein the socket connection comprises a 

2 computer network. 

1 24. The computer operating system of claim 23, wherein the computer network comprises the 

2 Internet. 

1 25. The computer operating system of claim 17, wherein the encryption key management 

2 system is further configured to encrypt the pathname to the encrypted data, the encryption 

3 key management system further configured to decrypt the pathname to the encrypted data 

4 when retrieving encrypted file contents. 

1 26. A computer system comprising: 

2 a. a first device having an operating system kernel, the operating system kernel 

3 configured to encrypt clear data using an encryption key to generate cipher data, 

4 the first device further configured to decrypt the cipher data using the encryption 

5 key to generate the clear data; and 

6 b. a second device coupled to the first device and configured to exchange cipher data 

7 with the first device. 

1 27. The computer system of claim 26, wherein the operating system kernel is configured to 

2 encrypt the clear data and decrypt the cipher data using a symmetric algorithm. 

1 28. The computer system of claim 27, wherein the symmetric algorithm comprises a block 

2 cipher. 

1 29. The computer system of claim 28, wherein the block cipher comprises a Rijndael 

2 algorithm. 
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1 30. The computer system of claim 29, wherein the encryption key comprises at least 1024 

2 bits. 

1 31. The computer system of claim 26, wherein the second device comprises a backing store. 

1 32. The computer system of claim 26, wherein the second device comprises a swap device. 

1 33. The computer system of claim 26, wherein the second device comprises a 

2 communications channel. 

1 34. The computer system of claim 33, wherein the communications channel comprises a 

2 network. 

1 35. The computer system of claim 34, wherein the network comprises the Internet. 

1 36. A method of encrypting data, the method comprising: 

2 a. receiving clear data; and 

3 b. executing kernel code in an operating system, the kernel code using a symmetric 

4 key to encrypt the clear data to generate cipher data, the kernel code further using 

5 the symmetric key to decrypt the cipher data to generate the clear data. 

1 37. The method of claim 36, wherein the symmetric key encrypts the clear data to generate 

2 cipher data according to a block cipher. 

1 38. The method of claim 37, wherein the block cipher comprises a Rijndael algorithm. 
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1 39. The method of claim 37, wherein the block cipher comprises an algorithm selected from 

2 the group consisting of DES, triple-DES, Blowfish, and IDEA. 

1 40. The method of claim 36, wherein executing kernel code comprises: 

2 a. entering a pass key and a file name into a first encryption process to produce an 

3 encrypted file name and an encrypted file name key; and 

4 b. processing the file contents with the encrypting file name key to generate an 

5 encrypted file contents key and an encrypted file contents. 

1 41. The method of claim 40, further comprising: 

2 a. storing the encrypted file name key and the encrypted file contents key in a first 

3 protected area of a computer storage; and 

4 b. storing the encrypted file name and the encrypted file contents in a second 

5 protected area of the computer storage. 

1 42. The method of claim 36, wherein executing kernel code to encrypt clear data and decrypt 

2 cipher data is performed when data is transferred between a computer memory and a 

3 secondary device. 

1 43. The method of claim 42, wherein the secondary device comprises a backing store. 

1 44. The method of claim 42, wherein the secondary device comprises a swap device. 

1 45. The method of claim 42, wherein the secondary device comprises a communications 

2 channel. 

1 46. The method of claim 45, wherein the communications channel comprises a network. 
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1 47. The method of claim 46, wherein the network comprises the Internet. 

1 48. A computer system comprising: 

2 a. a processor; 

3 b. a physical memory; 

4 c. a secondary device coupled to the physical memory; and 

5 d. an operating system comprising a kernel, the kernel configured to encrypt and 

6 decrypt data transferred between the physical memory and the secondary device. 

1 49. The computer system of claim 48, wherein the kernel is configured to encrypt and decrypt 

2 data using a symmetric key encryption algorithm. 

1 50. The computer system of claim 49, wherein the symmetric key encryption algorithm is 

2 based on a block cipher. 

1 51. The computer system of claim 50, wherein the symmetric key encryption algorithm 

2 comprises the Rijndael algorithm. 

1 52. The computer system of claim 5 1 , wherein the kernel comprises a UNIX operating 

2 system. 

1 53. A method of accessing a file, the method comprising: 

2 a. authenticating a user; 

3 b. checking the user's permission to access the file; and 

4 c. encrypting the file using an encryption key. 
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1 54. The method of claim 53, wherein encrypting the file comprises: 

2 a. dividing the file into a plurality of file segments, each file segment having an 

3 associated file segment number; 

4 b. dividing each file segment into a plurality of corresponding file blocks; 

5 c. dividing the encryption key into a plurality of corresponding encryption key 

6 segments; 

7 d. permutating the corresponding encryption key segments using the associated file 

8 segment number and a first permutation function to produce a corresponding 

9 intermediate key; 

10 e. encrypting the corresponding file blocks using an encryption algorithm and the 

1 1 corresponding intermediate key to generate a corresponding first encrypted data; 

12 and 

1 3 f. permutating the corresponding first encrypted data using a second permutation 

14 function and the associated file number to generate corresponding final encrypted 

15 data. 

1 55. The method of claim 54, wherein the encryption algorithm comprises the Rijndael 

2 algorithm. 

1 56. The method of claim 53, wherein the first permutation function differs from the second 

2 permutation function. 

1 57. The method of claim 53, wherein each file segment is at least 1024-bits long. 

1 58. The method of claim 53, wherein the encryption key is at least 2048-bits long. 
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